Exam DOP-C02
Question 228

A DevOps team has created a Custom Lambda rule in AWS Config. The rule monitors Amazon Elastic Container Repository (Amazon ECR) policy statements for ecr:* actions. When a noncompliant repository is detected, Amazon EventBridge uses Amazon Simple Notification Service (Amazon SNS) to route the notification to a security team.

When the custom AWS Config rule is evaluated, the AWS Lambda function fails to run.

Which solution will resolve the issue?

    Correct Answer: A

    To resolve the issue where the AWS Lambda function fails to run when the custom AWS Config rule is evaluated, the Lambda function's resource policy needs to be modified to grant AWS Config permission to invoke the function. This allows AWS Config to trigger the Lambda function properly as part of its rule evaluation.

Discussion
tgv

---> A

d9iceguy

Option: A

Resource policy should allow Config invocation

amehim

A. Modify the Lambda function's resource policy to grant AWS Config permission to invoke the function.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "config.amazonaws.com" },
          "Action": "lambda:InvokeFunction",
          "Resource": "arn:aws:lambda:region:account-id:function:function-name"
        }
      ]
    }
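An added example, not part of the question or of any comment above: a Python check over a Lambda resource policy document (the JSON that `aws lambda get-policy` returns in its `Policy` field) that reports whether `config.amazonaws.com` may call `lambda:InvokeFunction`. It goes one step beyond the page by also flagging a grant with no `aws:SourceAccount` condition; the function names, account ID, region and Lambda name are constructed placeholders.

```python
import json

CONFIG_PRINCIPAL = "config.amazonaws.com"
INVOKE_ACTIONS = {"lambda:InvokeFunction", "lambda:*", "*"}  # exact matches only


def as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def source_accounts(statement):
    """Collect aws:SourceAccount values from StringEquals (key is case-insensitive)."""
    values = []
    for key, val in statement.get("Condition", {}).get("StringEquals", {}).items():
        if key.lower() == "aws:sourceaccount":
            values.extend(as_list(val))
    return values


def config_invoke_findings(policy_json, account_id):
    """Return findings for a Lambda resource policy; an empty list means AWS Config
    can invoke the function and the grant is limited to account_id."""
    grants = []
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and CONFIG_PRINCIPAL in services and actions & INVOKE_ACTIONS:
            grants.append(stmt)
    if not grants:
        return ["config.amazonaws.com is not allowed to call lambda:InvokeFunction"]
    return [
        f"statement {s.get('Sid', '<no Sid>')}: grant not limited to account {account_id}"
        for s in grants if account_id not in source_accounts(s)
    ]


# Constructed sample policies (account ID, region and function name are placeholders).
ARN = "arn:aws:lambda:us-east-1:111122223333:function:ecr-policy-check"
GRANT = {"Sid": "ConfigInvoke", "Effect": "Allow", "Principal": {"Service": CONFIG_PRINCIPAL},
         "Action": "lambda:InvokeFunction", "Resource": ARN}
MISSING = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(GRANT, Sid="S3Invoke", Principal={"Service": "s3.amazonaws.com"})]})
UNSCOPED = json.dumps({"Version": "2012-10-17", "Statement": [GRANT]})
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [
    dict(GRANT, Condition={"StringEquals": {"AWS:SourceAccount": "111122223333"}})]})

if __name__ == "__main__":
    for name, doc in [("missing", MISSING), ("unscoped", UNSCOPED), ("scoped", SCOPED)]:
        print(name, config_invoke_findings(doc, "111122223333"))
```

The `MISSING` policy reproduces the failure in the question (no statement for AWS Config), while `UNSCOPED` matches the shape of the policy posted in the comment above.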